r2184 - in trunk/kernel/source: kernel-source-2.6.8-2.6.8/debian kernel-source-2.6.8-2.6.8/debian/patches kernel-source-2.6.8-2.6.8/debian/patches/series kernel-source-2.6.9-2.6.9/debian kernel-source-2.6.9-2.6.9/debian/patches kernel-source-2.6.9-2.6.9/debian/patches/series
Andres Salomon
dilinger-guest@costa.debian.org
Sat, 08 Jan 2005 10:48:02 +0100
Author: dilinger-guest
Date: 2005-01-08 10:48:00 +0100 (Sat, 08 Jan 2005)
New Revision: 2184
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/028-do_brk_security_fixes.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/029-random_poolsize_overflow.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/030-moxa_user_copy_checking.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/028-do_brk_security_fixes.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/029-random_poolsize_overflow.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/030-moxa_user_copy_checking.dpatch
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-12
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-5
Log:
* [SECURITY] 028-do_brk_security_fixes.dpatch
Drop Marcelo's fix for this; use Linus' instead.
Fix local root vulnerability for various do_brk() calls;
ensure an exclusive lock on memory while modifying it; CAN-2004-1235
(Andres Salomon) (closes: #289155).
* [SECURITY] 029-random_poolsize_overflow.dpatch
drivers/char/random allows you to set the poolsize; its sanity checking
on that input isn't very good. We fix that here.
See http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html for
more details. This fixes #3 on that list (Andres Salomon).
* [SECURITY] 030-moxa_user_copy_checking.dpatch
The moxa driver does some ugly things w/ signed integers. This fixes
#4 on Brad Spengler's advisory (Andres Salomon).
* [SECURITY] 031-sg_scsi_ioctl_int_overflows.dpatch
SG ioctl stuff doesn't actually check whether the scsi command length
is positive. #5 on the above advisory (Andres Salomon).
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-01-08 09:48:00 UTC (rev 2184)
@@ -15,6 +15,26 @@
* [alpha] Added a fix for ext3 oops. (Norbert Tretkowski)
+ * [SECURITY] 028-do_brk_security_fixes.dpatch
+ Drop Marcelo's fix for this; use Linus' instead.
+ Fix local root vulnerability for various do_brk() calls;
+ ensure an exclusive lock on memory while modifying it; CAN-2004-1235
+ (Andres Salomon) (closes: #289155).
+
+ * [SECURITY] 029-random_poolsize_overflow.dpatch
+ drivers/char/random allows you to set the poolsize; its sanity checking
+ on that input isn's very good. We fix that here.
+ See http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html for
+ more details. This fixes #3 on that list (Andres Salomon).
+
+ * [SECURITY] 030-moxa_user_copy_checking.dpatch
+ The moxa driver does some ugly things w/ signed integers. This fixes
+ #4 on Brad Spengler's advisory (Andres Salomon).
+
+ * [SECURITY] 031-sg_scsi_ioctl_int_overflows.dpatch
+ SG ioctl stuff doesn't actually check whether the scsi command length
+ is positive. #5 on the above advisory (Andres Salomon).
+
-- Norbert Tretkowski <nobse@debian.org> Fri, 07 Jan 2005 18:11:35 +0100
kernel-source-2.6.8 (2.6.8-11) unstable; urgency=high
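Review bot: the 029 entry at `on that input isn's very good.` carries a typo (`isn't`); fix it before upload, since this changelog text is what ships in the package. The 028 entry says `Drop Marcelo's fix for this; use Linus' instead.` without naming the dpatch being dropped; the series change in this same commit removes `sec_brk-locked.dpatch`, so name it here so a reader of the changelog can see which patch was replaced.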
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/028-do_brk_security_fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/028-do_brk_security_fixes.dpatch 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/028-do_brk_security_fixes.dpatch 2005-01-08 09:48:00 UTC (rev 2184)
@@ -0,0 +1,58 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix do_brk() locking in library loader
+## DP: Patch author: torvalds@ppc970.osdl.org
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/07 15:58:52-08:00 torvalds@ppc970.osdl.org
+# Fix do_brk() locking in library loader
+#
+# The regular executable loader path doesn't need the locking,
+# because it's the only user of its VM. But the same is not true
+# at library load time. So get the mmap semaphore.
+#
+# fs/binfmt_aout.c
+# 2005/01/07 15:58:44-08:00 torvalds@ppc970.osdl.org +2 -0
+# Fix do_brk() locking in library loader
+#
+# fs/binfmt_elf.c
+# 2005/01/07 15:58:45-08:00 torvalds@ppc970.osdl.org +4 -1
+# Fix do_brk() locking in library loader
+#
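Review bot: the dpatch header still carries the template placeholder `## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>` (with `EMAIL` truncated); fill in the patch name and the backporter's address, since the `DP:` lines below already name the upstream author. The same unfilled placeholder line appears in each of the other seven dpatches added by this commit.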
+diff -Nru a/fs/binfmt_aout.c b/fs/binfmt_aout.c
+--- a/fs/binfmt_aout.c 2005-01-08 01:41:21 -08:00
++++ b/fs/binfmt_aout.c 2005-01-08 01:41:21 -08:00
+@@ -512,7 +512,9 @@
+ len = PAGE_ALIGN(ex.a_text + ex.a_data);
+ bss = ex.a_text + ex.a_data + ex.a_bss;
+ if (bss > len) {
++ down_write(¤t->mm->mmap_sem);
+ error = do_brk(start_addr + len, bss - len);
++ up_write(¤t->mm->mmap_sem);
+ retval = error;
+ if (error != start_addr + len)
+ goto out;
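Review bot: the two added lines render as `down_write(¤t->mm->mmap_sem);` and `up_write(¤t->mm->mmap_sem);`, which cannot be the literal patch text; the intended expression is `&current->mm->mmap_sem`, and the `¤` is what an HTML renderer makes of an unescaped `&current`. Confirm the committed dpatch contains `&current` so the backport applies and compiles. The lock is taken only around the `do_brk()` call and the existing `error != start_addr + len` check runs after the unlock, which is consistent with the ChangeSet description of getting the mmap semaphore for the library load path.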
+diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2005-01-08 01:41:21 -08:00
++++ b/fs/binfmt_elf.c 2005-01-08 01:41:21 -08:00
+@@ -1024,8 +1024,11 @@
+
+ len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
+ bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
+- if (bss > len)
++ if (bss > len) {
++ down_write(¤t->mm->mmap_sem);
+ do_brk(len, bss - len);
++ up_write(¤t->mm->mmap_sem);
++ }
+ error = 0;
+
+ out_free_ph:
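Review bot: unlike the a.out hunk above, the return value of `do_brk(len, bss - len)` is discarded and `error = 0;` follows unconditionally, so a failed brk in the ELF library loader is reported as success; that is pre-existing upstream behaviour that this backport copies faithfully, but it is worth a follow-up upstream rather than a Debian-only change. The same `¤t` rendering of `&current` appears in the added `down_write`/`up_write` lines here and needs the same verification.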
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/029-random_poolsize_overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/029-random_poolsize_overflow.dpatch 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/029-random_poolsize_overflow.dpatch 2005-01-08 09:48:00 UTC (rev 2184)
@@ -0,0 +1,55 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] check user-supplied length before copy_from_user
+## DP: Patch author: Andres Salomon <dilinger@voxel.net>
+## DP: Upstream status: not yet submitted
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+Revision: linux-drivers-char--ps-int-overflow--0--patch-1
+Archive: dilinger@voxel.net--2005-public
+Creator: Andres Salomon <dilinger@voxel.net>
+Date: Fri Jan 7 17:45:21 EST 2005
+Standard-date: 2005-01-07 22:45:21 GMT
+Modified-files: random.c
+New-patches: dilinger@voxel.net--2005-public/linux-drivers-char--ps-int-overflow--0--patch-1
+Summary: integer overflow fix for poolsize_strategy()
+Keywords:
+
+Pointed out by Brad Spengler here:
+http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html
+
+The fix is simple; we're passed a size_t (generally an unsigned int
+or unsigned long, depending on arch); copy_from_user expects an
+unsigned long. We can simply cast it to an unsigned long; table->maxlen
+guarantees that we'll always have a small amount, anyways.
+
+
+* modified files
+
+--- orig/drivers/char/random.c
++++ mod/drivers/char/random.c
+@@ -1906,7 +1906,7 @@
+ void __user *oldval, size_t __user *oldlenp,
+ void __user *newval, size_t newlen, void **context)
+ {
+- int len;
++ unsigned long len;
+
+ sysctl_poolsize = random_state->poolinfo.POOLBYTES;
+
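Review bot: this declaration change is the actual fix: with `int len`, a `newlen` large enough to go negative as an `int` skips the `len > table->maxlen` clamp in the next hunk and reaches `copy_from_user()` as a huge unsigned length; as `unsigned long` the clamp applies to every value. Note that `table->maxlen` is a signed `int` in `struct ctl_table`, so the comparison now mixes signedness; that is safe as long as `maxlen` stays non-negative, which it does for a sysctl table entry.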
+@@ -1916,7 +1916,7 @@
+ * write case happens twice; it's harmless).
+ */
+ if (newval && newlen) {
+- len = newlen;
++ len = (unsigned long) newlen;
+ if (len > table->maxlen)
+ len = table->maxlen;
+ if (copy_from_user(table->data, newval, len))
+
+
+
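Review bot: the cast in `len = (unsigned long) newlen;` is a no-op: `newlen` is already `size_t` and `len` is now `unsigned long`, so the implicit conversion is identical to the line it replaces. Either drop the cast or add a one-line comment saying the protection comes from the declaration change above, so a later reader does not treat the cast as load-bearing. Also trim the three empty `+` lines at the end of the file, and since the header says `DP: Upstream status: not yet submitted`, send this to the upstream maintainer alongside the Debian upload.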
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/030-moxa_user_copy_checking.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/030-moxa_user_copy_checking.dpatch 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/030-moxa_user_copy_checking.dpatch 2005-01-08 09:48:00 UTC (rev 2184)
@@ -0,0 +1,69 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] make the moxa driver check user supplied lengths before doing copy_from_users
+## DP: Patch author: Andres Salomon <dilinger@voxel.net>
+## DP: Upstream status: not yet submitted
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+Revision: linux-drivers-char--moxa-overflow--0--patch-1
+Archive: dilinger@voxel.net--2005-public
+Creator: Andres Salomon <dilinger@voxel.net>
+Date: Fri Jan 7 18:05:38 EST 2005
+Standard-date: 2005-01-07 23:05:38 GMT
+Modified-files: moxa.c
+New-patches: dilinger@voxel.net--2005-public/linux-drivers-char--moxa-overflow--0--patch-1
+Summary: sanity check dltmp.len size before all copy_from_user() calls
+Keywords:
+
+Make sure the length we're passing copy_from_user() is never negative or
+too large for moxaBuff.
+
+
+
+* modified files
+
+--- orig/drivers/char/moxa.c
++++ mod/drivers/char/moxa.c
+@@ -1666,7 +1666,7 @@
+
+ if(copy_from_user(&dltmp, argp, sizeof(struct dl_str)))
+ return -EFAULT;
+- if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS)
++ if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS || dltmp.len < 0)
+ return -EINVAL;
+
+ switch(cmd)
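Review bot: the added `dltmp.len < 0` test only does anything if `dltmp.len` is a signed type; if `struct dl_str` declares it unsigned the test is always false and the compiler will warn. The patch description says the driver uses signed integers here, so confirm that against the struct definition before relying on this check. Placing it before `switch(cmd)` rejects a negative length for every command, including any that ignore `len`, which is acceptable for an ioctl that takes this struct.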
+@@ -2775,6 +2775,8 @@
+ void __iomem *baseAddr;
+ int i;
+
++ if(len < 0 || len > sizeof(moxaBuff))
++ return -EINVAL;
+ if(copy_from_user(moxaBuff, tmp, len))
+ return -EFAULT;
+ baseAddr = moxaBaseAddr[cardno];
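Review bot: this function previously passed `len` straight to `copy_from_user(moxaBuff, tmp, len)` with no bound at all, so the added `len < 0 || len > sizeof(moxaBuff)` test is the change that stops an oversized copy into the fixed-size `moxaBuff`. The same two-line check is now pasted into three functions (this hunk and the two below); a small static helper would keep the copies from drifting. Returning `-EINVAL` before the copy, as done here, is the right order.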
+@@ -2822,7 +2824,7 @@
+ void __iomem *baseAddr;
+ int i;
+
+- if(len > sizeof(moxaBuff))
++ if(len < 0 || len > sizeof(moxaBuff))
+ return -EINVAL;
+ if(copy_from_user(moxaBuff, tmp, len))
+ return -EFAULT;
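Review bot: the `len < 0` added here does not change behaviour: `len > sizeof(moxaBuff)` compares an `int` with a `size_t`, so a negative `len` was already converted to a large unsigned value and rejected by the existing test. Keeping the explicit check documents intent and survives a future change of the right-hand operand to a signed constant, but the behavioural fixes for this driver are the hunks above and below, which had no check at all; the changelog wording should not imply this hunk closed a hole.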
+@@ -2842,6 +2844,8 @@
+ void __iomem *baseAddr, *ofsAddr;
+ int retval, port, i;
+
++ if(len < 0 || len > sizeof(moxaBuff))
++ return -EINVAL;
+ if(copy_from_user(moxaBuff, tmp, len))
+ return -EFAULT;
+ baseAddr = moxaBaseAddr[cardno];
+
+
+
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch 2005-01-08 09:48:00 UTC (rev 2184)
@@ -0,0 +1,43 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix exploitable hole in sg_scsi_ioctl
+## DP: Patch author: James Bottomley <James.Bottomley@SteelEye.com>
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/07 16:38:51-05:00 jejb@mulgrave.(none)
+# Fix exploitable hole in sg_scsi_ioctl
+#
+# in_len and out_len are signed quantites copied from
+# user space but are only checked to see if they're >
+# PAGE_SIZE. The exploit would be to pass in a negative
+# quantity which would pass the check.
+#
+# Fix by making them unsigned.
+#
+# Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
+#
+# drivers/block/scsi_ioctl.c
+# 2005/01/07 16:36:05-05:00 jejb@mulgrave.(none) +2 -1
+# Fix exploitable hole in sg_scsi_ioctl
+#
+diff -Nru a/drivers/block/scsi_ioctl.c b/drivers/block/scsi_ioctl.c
+--- a/drivers/block/scsi_ioctl.c 2005-01-07 17:24:38 -08:00
++++ b/drivers/block/scsi_ioctl.c 2005-01-07 17:24:38 -08:00
+@@ -339,7 +339,8 @@
+ struct gendisk *bd_disk, Scsi_Ioctl_Command __user *sic)
+ {
+ struct request *rq;
+- int err, in_len, out_len, bytes, opcode, cmdlen;
++ int err;
++ unsigned int in_len, out_len, bytes, opcode, cmdlen;
+ char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
+
+ /*
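Review bot: the hunk changes only the declaration, while the `> PAGE_SIZE` checks the ChangeSet description refers to and every later use of `in_len`, `out_len`, `bytes`, `opcode` and `cmdlen` lie outside it. Before accepting the backport, check the rest of `sg_scsi_ioctl()` for any `< 0` test on these variables or any assignment of a negative error code into them; with `unsigned int` those become dead code or silently wrap. Keeping `err` as a separate signed `int` is the right split.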
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-12
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-12 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-12 2005-01-08 09:48:00 UTC (rev 2184)
@@ -1,4 +1,7 @@
+ powerpc-prep-powerstack-irq.dpatch
-+ sec_brk-locked.dpatch
+ qla1280-isp1040.dpatch
+ fix-alpha-ext3-oops.dpatch
++ 028-do_brk_security_fixes.dpatch
++ 029-random_poolsize_overflow.dpatch
++ 030-moxa_user_copy_checking.dpatch
++ 031-sg_scsi_ioctl_int_overflows.dpatch
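Review bot: `sec_brk-locked.dpatch` is removed in the same change that appends `028-do_brk_security_fixes.dpatch`, so the 028 backport now has to apply against a tree that never had Marcelo's version; confirm it applies and builds with the series exactly as listed here, and that the dropped dpatch left no other hunks behind that 028 relied on. The same replacement is made in the 2.6.9-5 series later in this commit.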
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/changelog 2005-01-08 09:48:00 UTC (rev 2184)
@@ -24,6 +24,26 @@
local attacker to execute code as root; CAN-2004-1235.
(Maximilian Attems)
+ * [SECURITY] 028-do_brk_security_fixes.dpatch
+ Drop Marcelo's fix, use Linus' instead.
+ Fix local root vulnerability for various do_brk() calls;
+ ensure an exclusive lock on memory while modifying it; CAN-2004-1235
+ (Andres Salomon) (closes: #289155).
+
+ * [SECURITY] 029-random_poolsize_overflow.dpatch
+ drivers/char/random allows you to set the poolsize; its sanity checking
+ on that input isn's very good. We fix that here.
+ See http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html for
+ more details. This fixes #3 on that list (Andres Salomon).
+
+ * [SECURITY] 030-moxa_user_copy_checking.dpatch
+ The moxa driver does some ugly things w/ signed integers. This fixes
+ #4 on Brad Spengler's advisory (Andres Salomon).
+
+ * [SECURITY] 031-sg_scsi_ioctl_int_overflows.dpatch
+ SG ioctl stuff doesn't actually check whether the scsi command length
+ is positive. #5 on the above advisory (Andres Salomon).
+
-- Simon Horman <horms@debian.org> Fri, 7 Jan 2005 15:07:39 +0900
kernel-source-2.6.9 (2.6.9-4) unstable; urgency=low
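Review bot: the entry immediately above this hunk already records a CAN-2004-1235 fix credited to Maximilian Attems, and the new 028 entry's `Drop Marcelo's fix, use Linus' instead.` does not say which dpatch that was; name `sec_brk-locked.dpatch`, which the 2.6.9-5 series change in this commit removes, so the two entries read together. The 029 entry repeats the `isn's` typo from the 2.6.8 changelog; fix both copies.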
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/028-do_brk_security_fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/028-do_brk_security_fixes.dpatch 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/028-do_brk_security_fixes.dpatch 2005-01-08 09:48:00 UTC (rev 2184)
@@ -0,0 +1,58 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix do_brk() locking in library loader
+## DP: Patch author: torvalds@ppc970.osdl.org
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/07 15:58:52-08:00 torvalds@ppc970.osdl.org
+# Fix do_brk() locking in library loader
+#
+# The regular executable loader path doesn't need the locking,
+# because it's the only user of its VM. But the same is not true
+# at library load time. So get the mmap semaphore.
+#
+# fs/binfmt_aout.c
+# 2005/01/07 15:58:44-08:00 torvalds@ppc970.osdl.org +2 -0
+# Fix do_brk() locking in library loader
+#
+# fs/binfmt_elf.c
+# 2005/01/07 15:58:45-08:00 torvalds@ppc970.osdl.org +4 -1
+# Fix do_brk() locking in library loader
+#
+diff -Nru a/fs/binfmt_aout.c b/fs/binfmt_aout.c
+--- a/fs/binfmt_aout.c 2005-01-08 01:41:21 -08:00
++++ b/fs/binfmt_aout.c 2005-01-08 01:41:21 -08:00
+@@ -512,7 +512,9 @@
+ len = PAGE_ALIGN(ex.a_text + ex.a_data);
+ bss = ex.a_text + ex.a_data + ex.a_bss;
+ if (bss > len) {
++ down_write(¤t->mm->mmap_sem);
+ error = do_brk(start_addr + len, bss - len);
++ up_write(¤t->mm->mmap_sem);
+ retval = error;
+ if (error != start_addr + len)
+ goto out;
+diff -Nru a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2005-01-08 01:41:21 -08:00
++++ b/fs/binfmt_elf.c 2005-01-08 01:41:21 -08:00
+@@ -1024,8 +1024,11 @@
+
+ len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
+ bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
+- if (bss > len)
++ if (bss > len) {
++ down_write(¤t->mm->mmap_sem);
+ do_brk(len, bss - len);
++ up_write(¤t->mm->mmap_sem);
++ }
+ error = 0;
+
+ out_free_ph:
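Review bot: this file and the three 2.6.9 dpatches that follow are byte-identical copies of the 2.6.8 ones, so every point raised on those applies here unchanged: the unfilled header placeholder, the `¤t` rendering of `&current` in the `down_write`/`up_write` lines, the unchecked `do_brk()` return in the ELF hunk, the no-op cast in 029, the redundant `len < 0` in 030's third hunk, and the declaration-only 031 hunk. Consider keeping a single copy of each security dpatch that both source trees reference, so a later correction does not have to be made twice.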
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/029-random_poolsize_overflow.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/029-random_poolsize_overflow.dpatch 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/029-random_poolsize_overflow.dpatch 2005-01-08 09:48:00 UTC (rev 2184)
@@ -0,0 +1,55 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] check user-supplied length before copy_from_user
+## DP: Patch author: Andres Salomon <dilinger@voxel.net>
+## DP: Upstream status: not yet submitted
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+Revision: linux-drivers-char--ps-int-overflow--0--patch-1
+Archive: dilinger@voxel.net--2005-public
+Creator: Andres Salomon <dilinger@voxel.net>
+Date: Fri Jan 7 17:45:21 EST 2005
+Standard-date: 2005-01-07 22:45:21 GMT
+Modified-files: random.c
+New-patches: dilinger@voxel.net--2005-public/linux-drivers-char--ps-int-overflow--0--patch-1
+Summary: integer overflow fix for poolsize_strategy()
+Keywords:
+
+Pointed out by Brad Spengler here:
+http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html
+
+The fix is simple; we're passed a size_t (generally an unsigned int
+or unsigned long, depending on arch); copy_from_user expects an
+unsigned long. We can simply cast it to an unsigned long; table->maxlen
+guarantees that we'll always have a small amount, anyways.
+
+
+* modified files
+
+--- orig/drivers/char/random.c
++++ mod/drivers/char/random.c
+@@ -1906,7 +1906,7 @@
+ void __user *oldval, size_t __user *oldlenp,
+ void __user *newval, size_t newlen, void **context)
+ {
+- int len;
++ unsigned long len;
+
+ sysctl_poolsize = random_state->poolinfo.POOLBYTES;
+
+@@ -1916,7 +1916,7 @@
+ * write case happens twice; it's harmless).
+ */
+ if (newval && newlen) {
+- len = newlen;
++ len = (unsigned long) newlen;
+ if (len > table->maxlen)
+ len = table->maxlen;
+ if (copy_from_user(table->data, newval, len))
+
+
+
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/030-moxa_user_copy_checking.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/030-moxa_user_copy_checking.dpatch 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/030-moxa_user_copy_checking.dpatch 2005-01-08 09:48:00 UTC (rev 2184)
@@ -0,0 +1,69 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: [SECURITY] make the moxa driver check user supplied lengths before doing copy_from_users
+## DP: Patch author: Andres Salomon <dilinger@voxel.net>
+## DP: Upstream status: not yet submitted
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+Revision: linux-drivers-char--moxa-overflow--0--patch-1
+Archive: dilinger@voxel.net--2005-public
+Creator: Andres Salomon <dilinger@voxel.net>
+Date: Fri Jan 7 18:05:38 EST 2005
+Standard-date: 2005-01-07 23:05:38 GMT
+Modified-files: moxa.c
+New-patches: dilinger@voxel.net--2005-public/linux-drivers-char--moxa-overflow--0--patch-1
+Summary: sanity check dltmp.len size before all copy_from_user() calls
+Keywords:
+
+Make sure the length we're passing copy_from_user() is never negative or
+too large for moxaBuff.
+
+
+
+* modified files
+
+--- orig/drivers/char/moxa.c
++++ mod/drivers/char/moxa.c
+@@ -1666,7 +1666,7 @@
+
+ if(copy_from_user(&dltmp, argp, sizeof(struct dl_str)))
+ return -EFAULT;
+- if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS)
++ if(dltmp.cardno < 0 || dltmp.cardno >= MAX_BOARDS || dltmp.len < 0)
+ return -EINVAL;
+
+ switch(cmd)
+@@ -2775,6 +2775,8 @@
+ void __iomem *baseAddr;
+ int i;
+
++ if(len < 0 || len > sizeof(moxaBuff))
++ return -EINVAL;
+ if(copy_from_user(moxaBuff, tmp, len))
+ return -EFAULT;
+ baseAddr = moxaBaseAddr[cardno];
+@@ -2822,7 +2824,7 @@
+ void __iomem *baseAddr;
+ int i;
+
+- if(len > sizeof(moxaBuff))
++ if(len < 0 || len > sizeof(moxaBuff))
+ return -EINVAL;
+ if(copy_from_user(moxaBuff, tmp, len))
+ return -EFAULT;
+@@ -2842,6 +2844,8 @@
+ void __iomem *baseAddr, *ofsAddr;
+ int retval, port, i;
+
++ if(len < 0 || len > sizeof(moxaBuff))
++ return -EINVAL;
+ if(copy_from_user(moxaBuff, tmp, len))
+ return -EFAULT;
+ baseAddr = moxaBaseAddr[cardno];
+
+
+
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/031-sg_scsi_ioctl_int_overflows.dpatch 2005-01-08 09:48:00 UTC (rev 2184)
@@ -0,0 +1,43 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix exploitable hole in sg_scsi_ioctl
+## DP: Patch author: James Bottomley <James.Bottomley@SteelEye.com>
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/07 16:38:51-05:00 jejb@mulgrave.(none)
+# Fix exploitable hole in sg_scsi_ioctl
+#
+# in_len and out_len are signed quantites copied from
+# user space but are only checked to see if they're >
+# PAGE_SIZE. The exploit would be to pass in a negative
+# quantity which would pass the check.
+#
+# Fix by making them unsigned.
+#
+# Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
+#
+# drivers/block/scsi_ioctl.c
+# 2005/01/07 16:36:05-05:00 jejb@mulgrave.(none) +2 -1
+# Fix exploitable hole in sg_scsi_ioctl
+#
+diff -Nru a/drivers/block/scsi_ioctl.c b/drivers/block/scsi_ioctl.c
+--- a/drivers/block/scsi_ioctl.c 2005-01-07 17:24:38 -08:00
++++ b/drivers/block/scsi_ioctl.c 2005-01-07 17:24:38 -08:00
+@@ -339,7 +339,8 @@
+ struct gendisk *bd_disk, Scsi_Ioctl_Command __user *sic)
+ {
+ struct request *rq;
+- int err, in_len, out_len, bytes, opcode, cmdlen;
++ int err;
++ unsigned int in_len, out_len, bytes, opcode, cmdlen;
+ char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
+
+ /*
Modified: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-5
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-5 2005-01-08 08:21:53 UTC (rev 2183)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/series/2.6.9-5 2005-01-08 09:48:00 UTC (rev 2184)
@@ -6,4 +6,7 @@
+ powerpc-g5-thermal-management-update.dpatch
+ powerpc-misc-powermac-fixes.dpatch
+ powerpc-prep-powerstack-irq.dpatch
-+ sec_brk-locked.dpatch
++ 028-do_brk_security_fixes.dpatch
++ 029-random_poolsize_overflow.dpatch
++ 030-moxa_user_copy_checking.dpatch
++ 031-sg_scsi_ioctl_int_overflows.dpatch